Re: [TLS] HSM-friendly Key Computation

Hugo Krawczyk <hugo@ee.technion.ac.il> Fri, 24 April 2015 21:37 UTC

Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A526B1A1B3F for <tls@ietfa.amsl.com>; Fri, 24 Apr 2015 14:37:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tYT0E-aG_R2v for <tls@ietfa.amsl.com>; Fri, 24 Apr 2015 14:37:18 -0700 (PDT)
Received: from mail-lb0-x231.google.com (mail-lb0-x231.google.com [IPv6:2a00:1450:4010:c04::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB7291A1B12 for <tls@ietf.org>; Fri, 24 Apr 2015 14:37:17 -0700 (PDT)
Received: by lbbuc2 with SMTP id uc2so45817627lbb.2 for <tls@ietf.org>; Fri, 24 Apr 2015 14:37:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=Vn6FosxI7R9Ldfc1E9uULgXSv6Ky4dO+UVUxqaLoh7g=; b=sJ3yxgTOyEuLDC4iywDYsoTmLtKzp9KePsmoLDib3nUqquLuA6SlIadJJ2/Iqs9FdY dZjysFIT+BwjpS7inzLRctnJTkg/rOn3UFf827kQlhwpM4+CEfiQoFsgKw4l5wasxuOD KR5Rs/M6SzSzPDdUrH2630WD2dF/uBUOXl87mKXFSjWAVuslEOb3oELqHGkDFOsoyI0p WzJE0TJRbV3XGqE7IXKJEIgJHhUkwZfpWC4hsvOa7gw/m/b64QpS+JnD4KgQGsU1RUxR o7BaAx7aVa5zwPFdwWM0FoEHsijcQHK5ssGyjPFj94FRJygVDidjHUpCAPITorVq6URw Bksw==
X-Received: by 10.152.88.1 with SMTP id bc1mr318556lab.79.1429911436428; Fri, 24 Apr 2015 14:37:16 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.78.66 with HTTP; Fri, 24 Apr 2015 14:36:45 -0700 (PDT)
In-Reply-To: <CABcZeBNx0AvTSXAEfr1pCt-+d_8nztuCZCmVgJ8UxoLtRsfZ1g@mail.gmail.com>
References: <0694C3DB-FB87-42A2-BCC4-CC0F761E9A03@vigilsec.com> <9A043F3CF02CD34C8E74AC1594475C73AB000B0C@uxcn10-tdc05.UoA.auckland.ac.nz> <5533F8D6.9070500@nthpermutation.com> <20150420064243.GA7322@LK-Perkele-VII> <CANeU+ZAL6oT6tP7OcL_8j6kp4oZB9V89R-0PrCdv-N27qVb0HQ@mail.gmail.com> <20150420163755.GA15511@LK-Perkele-VII> <5537D43A.9080802@REDHAT.COM> <20150422173526.GA14496@LK-Perkele-VII> <CABcZeBPN33DM_C0sAmCTFCTdNrcQ7y7eEBcZgPe+2f1EaxtXzA@mail.gmail.com> <55381302.5030307@nthpermutation.com> <CABcZeBN1W-KyNnPd9qU9dFP3dG8E=F1hOyK1NoeH-tsQT8XrFw@mail.gmail.com> <553925F7.5010704@nthpermutation.com> <CABcZeBNx0AvTSXAEfr1pCt-+d_8nztuCZCmVgJ8UxoLtRsfZ1g@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Fri, 24 Apr 2015 17:36:45 -0400
X-Google-Sender-Auth: RiHolBBPUaIekVypdLY3-Uq4ZkE
Message-ID: <CADi0yUPahzbqSNwu6t_1=CenK2P737A6c4Rmpa8Y_TG6J1iX+w@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary=001a11c3540c3a8c7305147f338e
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/9td1-yIuWNxKt3TbOFzqu5i4Mvo>
Cc: "tls@ietf.org" <tls@ietf.org>, Hoeteck Wee <hoeteck@alum.mit.edu>
Subject: Re: [TLS] HSM-friendly Key Computation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2015 21:37:20 -0000

On Thu, Apr 23, 2015 at 4:07 PM, Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Thu, Apr 23, 2015 at 1:03 PM, Michael StJohns <msj@nthpermutation.com>
> wrote:
>
>>  On 4/22/2015 7:03 PM, Eric Rescorla wrote:
>>
>>
>>
>> On Wed, Apr 22, 2015 at 5:30 PM, Michael StJohns <msj@nthpermutation.com>
>> wrote:
>>
>>>  On 4/22/2015 1:37 PM, Eric Rescorla wrote:
>>>
>>> If we're using HKDF-Extract, can we just key off different labels?
>>>
>>>  -Ekr
>>>
>>>
>>  Sorry, read that as "HKD-Expand".
>>
>> Actually, use HKDF as the term with no expand or extract suffix.
>>
>
> I discussed this extensively with Hugo and Hoeteck and their advice was to
> use
> them separately in a similar way to what's here (though they suggested a
> slightly
> different hierarchy which I have to edit in). Perhaps Hugo will weigh in
> as to
> the reasoning.
>

​I've just addressed this issue in an email in the
"confirming the room’s consensus: adopt HKDF PRF for TLS 1.3" thread
(it's the first point in the list of issues in that email).

Hugo


> -Ekr
>
>
>> Mike
>>
>>
>>
>>
>>
>>  -Ekr
>>
>>
>>>  Basically, no.
>>>
>>> The Extract function is really not designed to be used standalone but as
>>> a way of concentrating entropy for input to the expansion phase.  Its
>>> dangerous to talk of these functions as separately callable.  They are
>>> steps not separate functions.
>>>
>>>  The extract step's only non-key input - salt - is not the same as the
>>> "info" input used in the expand phase - 'salt' is supposed to be missing or
>>> random,  not a fixed string like a label.
>>>
>>> "info" is where the various labels go and that's only present in the
>>> expand phase.
>>>
>>>
>>> What you want to do is specify as part of the mixins (e.g. 'info' - e.g.
>>> the collection of label and context)  a set of fields that describe 1) how
>>> the key stream is going to be broken up (eg. lengths of the sub keys), 2)
>>> what algorithms will use each of the parts of the key stream, and 3)
>>> whether or not those parts are allowed to be exported/extracted.
>>>
>>> A software module will basically ignore these because - really - its all
>>> the same memory although it should really make sure the key lengths and
>>> types matc.  An HSM will look at these and be able to make policy decisions
>>> for protection of the segments (e.g. preventing export of material that was
>>> created to be non-exportable).
>>>
>>> Having all of these in the mixins means that the key stream expansion
>>> completely changes if ANY of these mixins change which in turn means  that
>>> the various ways you can use to extract truly secret key material (as
>>> differentiated from exportable material) from an HSM using the currently
>>> defined mechanism can be eliminated.  (I can explain my reasoning if
>>> necessary).
>>>
>>>
>>> Mike
>>>
>>>
>>>
>>>
>>> On Wed, Apr 22, 2015 at 1:35 PM, Ilari Liusvaara <
>>> ilari.liusvaara@elisanet.fi> wrote:
>>>
>>>> On Wed, Apr 22, 2015 at 10:02:50AM -0700, Robert Relyea wrote:
>>>> > On 04/20/2015 09:37 AM, Ilari Liusvaara wrote:
>>>> > >
>>>> > >There are other places in TLS that fundamentally need to
>>>> (indirectly) derive
>>>> > >public data out of secret key material.
>>>> > That's not a a problem. The problem is using the same mechanism to
>>>> derive
>>>> > the public data that we use to derive the keys.
>>>> > It's even OK to use the same secret key for both (from an HSM POV).
>>>> >
>>>> > What Michael is saying is that there are existing functions for both
>>>> KDF
>>>> > (secret material -> key) and Mac (secret material-> unique public
>>>> data).
>>>> > He's requesting that TLS not have it's own versions of these
>>>> functions.
>>>>
>>>> So would using two different PRF functions, one for parts that don't
>>>> downgrade and another for parts that do downgrade (e.g. IV derivation,
>>>> unique / finished calculations, exporter calculations, etc..) solve the
>>>> issue?
>>>>
>>>> (Of course, the two functions should be closely related, so not to
>>>> annoy software implementations too much)...
>>>>
>>>>
>>>> -Ilari
>>>>
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> TLS mailing listTLS@ietf.orghttps://www.ietf.org/mailman/listinfo/tls
>>>
>>>
>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>>
>>
>>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>